ncuaupdate · 2015-10-10 · cybersecurity ncuaupdate 10...
TRANSCRIPT
NCUA Update
October 9, 2015
Myra M. Toeppe, Regional Director Atlanta/Region III
NCUA Update
• Credit Union Trends
• Supervisory Priori<es/Regulatory Ini<a<ves
• Ques<ons
NCUA Update 2
CREDIT UNION TRENDS
NCUA Update 3
Overall Key Statistics
Na<onwide Key Sta<s<cs
2008 2009 2010 2011 2012 2013 2014 2Q 2015
# of FICUs 7,806 7,554 7,339 7,094 6,819 6,554 6,273 6,159
Total Assets $811B $885B $914B $962B $1.02T $1.06T $1.12T $1.17T
Avg. Asset Size $104M $117M $125M $136M $150M $162M $179M $190M
Net Worth (%) 10.61 9.89 10.06 10.21 10.43 10.77 10.96 10.92
ROA (%) -‐0.05 0.18 0.50 0.67 0.85 0.78 0.80 0.81
Delinquent Loans / Total Loans (%) 1.38 1.84 1.76 1.60 1.16 1.01 0.85 0.74
NCUA Update 4
Earnings have Improved, but Lag for Small Credit Unions
5
Percent Unprofitable by Asset Size (as of 12/31/14)
30.50%
12.20%
6.39%
3.24% 1.30%
0.88%
0.23%
0.45%
0.56% 0.63%
0.80%
0.97%
0.00%
0.20%
0.40%
0.60%
0.80%
1.00%
1.20%
0.0%
5.0%
10.0%
15.0%
20.0%
25.0%
30.0%
35.0%
< $50M $50 -‐ $100 $100 -‐ $250 $250 -‐ $500 $500 -‐ $1B >$1B
% UnproVitable ROA (right axis)
NCUA Update
Income / Expense Breakdown
6 NCUA Update
Net interest income is s<ll weak, but offset by ongoing expense control and lower provisioning for loan losses
Problem Credit Unions Decreasing
7
Na<onwide CAMEL 3, 4, and 5 Ins<tu<ons
1,526 1,648
1,818 1,726 1,563 1,480 1,366 1,306
243
312
341 374
348 302
241 227
11
16
19 21
12
7
13 17
0
500
1,000
1,500
2,000
2,500
2008 2009 2010 2011 2012 2013 2014 2Q 2015
CAMEL 3 CAMEL 4 CAMEL 5
NCUA Update
SUPERVISORY PRIORITIES/REGULATORY INITIATIVES
NCUA Update 8
2015 Exam Priorities
NCUA Update 9
Key Risks • Cybersecurity • Interest Rate Risk • Bank Secrecy Act Compliance
Ini^a^ves • Liquidity • Mortgage Rules • Small Credit Union Exam Program
• Risk-‐Based Capital
Cyber Security
NCUA Update 10
Greater Concerns Over Access and Disrup4on • Increasing frequency of abacks • Rising financial losses and reputa^onal damage
Vulnerabili4es and Concerns in 2015 • Malware becoming even harder to detect and eliminate • Security bug infiltra<ons expected to increase (i.e., Heartbleed) • Email threats are increasing in sophis^ca^on • Security incidents in general expected to increase (i.e., SONY) • A[acks against mobile devices – with expanded device use, including
apps that gather data, illicit access to internal info and cloud-‐based applica^ons could increase
• A[acks against products connected to the Internet -‐ cars, appliances, toys/games, etc. (i.e., on-‐line PlaySta^on hacking shutdown in Dec 2014)
Cyber Security
NCUA Update 11
Some of the larger breaches occurring in 2014
• JP Morgan Chase – Breach of 76 mil personal acct. records / 8 mil business acct. records
• Home Depot – Compromise of 56 mil payment cards / 53 mil email addresses
• Sony – Illegal access of 47,000 social security numbers, hacked email accounts, leaked movies • Michaels – Stolen credit/debit card info affec^ng 3 mil records • Goodwill Industries – 330 stores compromised affec^ng 868k records • Kmart – Payment systems infected with malware,
compromising credit/debit cards – but apparently no customer impact
Cyber Security
NCUA Update 12
FFIEC -‐ Cybersecurity Assessment at 500+ Financial Inst. Found the level of cybersecurity inherent risk varies significantly across en<<es, as it relates to:
• Connec<on Types – private networks, wireless networks, local area networks , etc.
• Products and Services – each product and service can introduce specialized cybersecurity risks
• Technologies used – vast array of technology supports customers and employees, including core systems, ATMs, Internet/Mobile applica^ons, cloud compu^ng, etc. – all vulnerable to unauthorized access
Cyber Security
NCUA Update 13
NCUA Field Staff – Focusing on proac4ve measures being taken at credit unions, including:
• Encryp^ng Sensi^ve Data • Developing Comprehensive Informa^on Security Policy • Performing Due Diligence over 3rd Par^es Handling Data • Monitoring Cybersecurity Risk Exposure • Monitoring Transac^ons • Tes^ng Security Measures
Electronic and Internet-‐Based Services
Credit Unions Offering Services
(Na<onwide)
2008 2009 2010 2011 2012 2013 2014 2Q 2015
Mobile Banking
N/Av
431 (6%)
721 (10%)
1,126 (16%)
1,865 (27%)
2,403 (37%)
2,748 (44%)
2,896 (47%)
Remote Deposit Capture
N/Av 233 (3%)
283 (4%)
353 (5%)
509 (7%)
786 (12%)
1,211 (19%)
1,438 (23%)
Mobile Payments N/Av N/Av N/Av N/Av N/Av 374
(6%) 743 (12%)
915 (15%)
14 NCUA Update
With more credit unions offering electronic and internet-‐related services, cybersecurity measures rise in importance. N/Av – not available
Cyber Security
NCUA Update 15
Web Facing Security Connec^ons Mobile Applica^ons Monitoring Devices
Financial ins<tu<ons should focus on these cri<cal areas
Cyber Security Program Elements
NCUA Update 16
• Cyber Governance, Cyber Risk Management, Resources, Training & Culture
1) Cyber Risk Management & Oversight
• Intelligence Gathering, Monitoring & Analyzing, Informa<on Sharing
2) Threat intelligence & Collabora<on
• Preventa<ve Controls, Detec<ve Controls, Correc<ve Controls
3) Cybersecurity Controls
• Connec<ons, Rela<onships & Responsibili<es
4) External Dependency Management
• Incident Detec<on & Response, Mi<ga<on, Escala<on & Repor<ng, Resilience
5) Cyber Incident Management & Resilience
Cyber Security Best Practices
Resources are located at: www.ncua.gov
Source: SANS.org hbp://www.sans.org/cri^cal-‐security-‐controls
NCUA Update 17
Cyber Security Resources
Resources are located at: www.ncua.gov
NCUA Update 18
Cyber Security Resources
NCUA Update 19
Resources available at: www.ffiec.gov
S4ll a Primary Concern Due To: • Extended Asset Dura<ons (investments and loans)
• Ongoing low rate environment has CUs chasing yield -‐ lengthening investment terms to boost earnings
• Unrealized losses (available-‐for-‐sale investments)
• Uncertainty of economy-‐wide rate adjustments (Federal Reserve)
Metrics show some improvement in overall trends, but concern remains
Field Staff will closely monitor CU adherence to IRR Rule -‐ Requires CUs with assets over $50 million to implement a wriben IRR policy and program to iden^fy, measure, monitor, and control IRR *For further guidance on NCUA’s Interest Rate Risk Policy and Program, refer to NCUA Rules and RegulaHons – 12 CFR Part 741
Interest Rate Risk
NCUA Update 20
Exposure to Long-‐Term Investments
21 NCUA Update
Changing Interest Rate Environment
22 NCUA Update
Total Unrealized Gains/Losses
23 NCUA Update
Changing Interest Rate Environment
24 NCUA Update
Credit Union Deposit Rates and Three Month Treasury Bill Rate (Percent)
Interest Rate Risk Resources
Resources are located at: www.ncua.gov
NCUA Update 25
Bank Secrecy Act Compliance
NCUA Update 26
NCUA focusing on CU rela^onships with Money Services Businesses (MSB)
MSBs include: • Check Cashers, Prepaid Card Providers, Money Transmibers,
Foreign Currency Dealers, Money Order and Travelers Check Issuers
NCUA – Vigilantly ensuring credit unions are not laundering money or financing criminal/terrorist ac^vity
Bank Secrecy Act (BSA) prescribes recordkeeping and repor^ng requirements to detect illicit ac^vity
Bank Secrecy Act Compliance
NCUA Update 27
Examiners will verify that CU rela4onships with MSBs include:
• Customer Iden^fica^on
• Assurance that MSBs are registered with FinCEN and in compliance with state/local licensing requirements
• Risk measurements gauging risks associated with MSB accounts and enhanced due diligence when necessary
Bank Secrecy Act Compliance
NCUA Update 28
Non-‐Compliance Can Lead to Public Ac4ons and Fines
Example Credit Union with 1 branch, 5 Employees, $4.1M in assets • Significant BSA failures due to involvement with MSBs
• MSBs were located outside of CU’s geographic FOM, engaged in high-‐risk ac^vi^es (including wiring funds to high-‐risk jurisdic^ons)
• 2013 -‐ CU processed approx. $1 bil in outgoing wires and $985 mil in remote deposit capture (electronic check deposits)
• In one case, this CU engaged with a MSB, which provided financial services to other MSBs, and CU serviced secondary MSB accounts without BSA due diligence
Bank Secrecy Act Compliance
NCUA Update 29
This CU willfully violated BSA program requirements • Failed to develop and implement an adequate customer
Iden^fica^on program
• Failed to detect and adequately report suspicious transac^ons
• Failed to access or review FinCEN’s 314(a) lists Outcome NCUA issued a Cease and Desist Order
FinCEN levied a Civil Money Penalty equaling 50% of NW
Bank Secrecy Act Resources
NCUA Update 30
• December 2014 – FFIEC releases revised BSA/AML Examina^on Manual (updated from 2010 edi^on)
• December 2014 – NCUA issues Leber To Credit Unions (14-‐CU-‐10) -‐Iden^fying and Mi^ga^ng Risks of Money Services Businesses
Bank Secrecy Act Resources
NCUA Update 31
Bank Secrecy Act Resources
NCUA Update 32
FinCEN Resource Center
Bank Secrecy Act Resources
NCUA Update 33
FFIEC On-‐line Repository
Liquidity
NCUA Update 34
Liquidity Rule -‐ Effective March 31, 2014
Seeks to ensure all CUs conduct sound liquidity planning Tiered Requirements:
• Under $50 Million : Maintain a basic wriben liquidity policy providing a framework for managing liquidity and a list of con^ngent liquidity sources that can be employed in emergency situa^ons
• $50 Million to $250 Million: Wriben liquidity policy plus a con^ngency funding plan that clearly sets out strategies for emergency liquidity needs
• $250 Million+: In addi^on to a wriben liquidity policy and con^ngency funding plan, required to establish access to at least one con^ngent federal liquidity source: NCUA’s Central Liquidity Facility and/or the Federal Reserve’s Discount Window
NCUA field staff will be assessing compliance with the provision and evalua<ng con<ngent funding at CUs with assets of at least $250 million
Lending Programs
NCUA Update 35
NCUA con4nues to monitor trends in credit union programs, as new loan products and services emerge Field staff will con^nue to review lending programs to assess due diligence and risk management prac^ces *See NCUA LeOers to Credit Unions 10-‐CU-‐15 for further guidance
Lending Programs
NCUA Update 36
Credit Union Lending by Loan Type Billions of $
TILA-‐RESPA
NCUA Update 37
TILA-‐RESPA: Integrated Disclosure Rule
Created by Consumer Financial Protection Bureau – Effective August 1, 2015 (extended to 10/1)
Requires loan originators to provide consumers with: • Loan Estimate Form – combines Truth in Lending Act (TILA) disclosure
and Good Faith Estimate. To be delivered or mailed by 3rd business day from receipt of mortgage application
• Closing Disclosure Form – combines the Ainal TILA disclosure and HUD-‐1 Settlement Statement. To be provided at least 3 days prior to consummation of mortgage
• Rule also imposes record retention requirements and restricts mortgage originators from imposing certain fees, providing estimates, or requiring consumer veriAication of information prior to providing a Loan Estimate Form
Ability to Repay / QualiVied Mortgage Standards Rule
NCUA Update 38
CFPB’s rule enacted in response to the mortgage crisis
Applies to new mortgages made on or amer January 10, 2014
Requires mortgage lenders to consider 8 specific factors to assess a borrower’s repayment ability:
• Current or reasonably expected income or assets • Current employment status • Monthly mortgage payment for applied loan • Monthly mortgage payments on simultaneous loans secured by same property • Monthly payments for property taxes, insurance, etc. • Debts, alimony, child support obliga^ons • Monthly debt-‐to-‐income ra^o and residual income as a ra^o of gross income • Credit history
All Qualified Mortgages (QM) must meet these requirements
QualiVied Mortgage Standards Rule
NCUA Update 39
QM Features • Points and fees < or = to 3% of loan amount (<$100k, higher percentages are
allowed)
• No risky features like nega<ve amor<za<on, interest-‐only, or balloon loans
• Maximum loan term is less than or equal to 30 years
Three Main Categories • General QM – any loan mee^ng product feature requirements with a debt-‐to-‐
income ra^o of 43% or less
• GSE-‐eligible QM – any loan mee^ng product feature requirements and eligible for purchase, guarantee, or insurance by a GSE, FHA, VA, or USDA regardless of debt-‐to-‐income ra^o
• Small Creditor QMs – Loans by en^^es with less than $2bil in assets and origina^ng 500 or fewer 1st mortgages per year, will qualify as QMs so long as borrower’s debt-‐to-‐income ra^o is considered and verified
QualiVied Mortgage Standards Rule
NCUA Update 40
Other Aspects • Non-‐Qualified Mortgages – Any mortgage can be originated (QM or not) so
long as a reasonable, good-‐faith determina^on is made that member is able to repay based on common underwri^ng factors in compliance with the ability-‐to-‐repay rule
• Ban on Prepayment Penal<es – All FICUs are banned from assessing most prepayment penal^es (except on certain higher-‐priced non QMs with either fixed or step rates)
• Record Reten<on Requirement – Creditors must retain evidence that it complied with ability-‐to-‐repay requirements for at least 3 years aper loan origina^on
All field staff will review credit unions’ compliance with required provisions and ensure that mortgage lending programs are conducted in a sound manner
*See NCUA’s January 2014 LeOer to FICUs (14-‐CU-‐01) on CFPB’s Ability-‐to-‐Repay and Qualified Mortgage Rule
NCUA Update 41
Consumer Compliance Resources
Dodd-Frank Act Mortgage Lending Resources EFFECTIVE DATE UPDATE: CFPB has delayed the effective date of the TILA-RESPA Integrated Disclosure Rule from Aug. 1, 2015, until Oct. 3, 2015, through a notice available here. All references to the Aug. 1, 2015, effective date should be read to mean Oct. 3, 2015. Please note the new disclosures may not be used for applications received before the new effective date.
Flood Insurance Resources Fair Lending Compliance Resources Consumer Credit Resources Service Member Lending and Credit Resources Deposit Resources Additional Consumer Compliance Resources
NCUA Update 42
Credit Union ProViles
43
Small
Mid-‐Sized
Large
$50 Million
$250 Million
3,910 Units -‐ 63.5% $57.5 Bil in Assets -‐ 5.0%
1,443 Units -‐ 23.4% $163.1 Bil in Assets -‐ 14.0%
806 Units -‐ 13.1% $947.7 Bil in Assets -‐ 81.0%
Total Credit Unions = 6,159 Total Assets = $1.17 Trillion
As of June 30, 2015
NCUA Update
Small Credit Union Exam Program
NCUA Update 44
Small Credit Unions – FCU’s under $50 million in assets
In 2015, NCUA’s SCUEP will employ a defined-‐scope exam approach focusing on the primary risk areas at small CUs:
• Internal Controls / Recordkeeping / Lending
Small Credit Union Exam Program
NCUA Update 45
SCUEP -‐ Exam Scope will include more transac<ons tes<ng and a three-‐<ered review:
Risk-‐Based Capital
NCUA Update 46
History
Risk-‐Based Capital
NCUA Update 47
RBC Ra<o Thresholds
Major Changes to Risk-‐Based Capital
48
ü CUs below $100 million will be exempt
ü Risk-‐based threshold to be “Well Capitalized” lowered to 10.0%
ü Weighted Average Life removed from all risk weights
ü Key risk weights are significantly lower ü Four years to implementa<on in 2019
NCUA Update
QUESTIONS?
NCUA Update 49
OFFICE CONTACT PAGE
Feel free to contact our office with ques<ons or comments.
Regional Director: Myra M. Toeppe Email: [email protected]
Office Phone: 678-‐443-‐3000
NCUA Update 50